Bug#1029651: bullseye-pu: package libxpm/1:3.5.12-1.1~deb11u1
Control: tags -1 + confirmed
On Wed, 2023-01-25 at 21:32 +0100, Salvatore Bonaccorso wrote:
> I would like to propose to update libxpm in bullseye as well, fixing
> some no-dsa tagged CVEs by simply rebuilding the package which got
> uploaded to unstable (without other changes apart from addressing issues):
>
> +libxpm (1:3.5.12-1.1~deb11u1) bullseye; urgency=medium
> +
> + * Non-maintainer upload.
> + * Rebuild for bullseye
> +
> + -- Salvatore Bonaccorso <carnil@debian.org> Wed, 25 Jan 2023
> 21:19:41 +0100
> +
> +libxpm (1:3.5.12-1.1) unstable; urgency=medium
> +
> + * Non-maintainer upload.
> + * Fix CVE-2022-46285: Infinite loop on unclosed comments
> + * Fix CVE-2022-44617: Runaway loop with width of 0 and enormous
> height
> + * configure: add --disable-open-zfile instead of requiring
> -DNO_ZPIPE
> + * Fix CVE-2022-4883: compression commands depend on $PATH
> + * Prevent a double free in the error code path
> + * Use gzip -d instead of gunzip
> + * debian/rules: configure: Set explicitly runtime paths for
> {,un}compress
> + and gzip.
>
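Review bot: the last entry of the 1:3.5.12-1.1 block, "debian/rules: configure: Set explicitly runtime paths for {,un}compress and gzip", fixes the helper locations at build time, and the ~deb11u1 entry is a plain "Rebuild for bullseye", so whatever paths were chosen for unstable carry over unchanged. It is worth confirming in the full debdiff that those paths match where gzip and compress are installed on bullseye: if the CVE-2022-4883 fix means the commands are no longer resolved through $PATH, a path that does not exist on bullseye would break reading compressed XPM files there. Naming the CVEs in the ~deb11u1 entry as well would also make the stable changelog self-explanatory.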
Please go ahead.
Regards,
Adam